Lock-and-key access allows you to set up dynamic access lists that grant access per user to a specific source/destination host through a user authentication process. User access is allowed through a Cisco IOS® Firewall dynamically, without any compromise in the security restrictions.

This document is not restricted to specific software and hardware versions.

The information presented in this document was created from devices in a specific lab environment. In this case, the lab environment consisted of a 2620 Router running Cisco IOS® Software Release 12.3(1). All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Lock-and-key access allows an external event to place an opening in the Cisco IOS Firewall. After this opening exists, the router is susceptible to source address spoofing. In order to prevent this, provide encryption support using IP encryption with authentication or encryption.

Spoofing is a problem with all existing access lists. Lock-and-key access does not address this problem.

Because lock-and-key access introduces a potential pathway through your network firewall, you need to consider dynamic access. Another host, spoofing your authenticated address, gains access behind the firewall. With dynamic access, there is the possibility that an unauthorized host, spoofing your authenticated address, gains access behind the firewall. Lock-and-key access does not cause the address spoofing problem. The problem is only identified here as a concern to the user.

Each dynamic access list forces an access list rebuild on the silicon switching engine (SSE). This causes the SSE switching path to slow down momentarily.

Dynamic access lists require the idle timeout facility (even if the timeout is left to default). Therefore, dynamic access lists cannot be SSE switched. These entries are handled in the protocol fast-switching path.

Watch the border router configurations. Remote users create access list entries on the border router. The access list grows and shrinks dynamically. Entries are dynamically removed from the list after either the idle-timeout or max-timeout period expires. Large access lists degrade packet switching performance.

When you want a remote host to be able to access a host in your internetwork through the Internet. Lock-and-key access limits the access beyond your firewall on an individual host or net basis.

When you want a subset of hosts on a network to access a host on a remote network protected by a firewall. With lock-and-key access, you can enable only a desired set of hosts to gain access by having them authenticate through a TACACS+ or RADIUS server.

A user opens a Telnet session to a border router configured for lock-and-key access.

The Cisco IOS software receives the Telnet packet. It performs a user authentication process. The user must pass authentication before access is allowed. The authentication process is done by the router or a central access server such as a TACACS+ or RADIUS server.

Cisco recommends that you use a TACACS+ server for your authentication query process. TACACS+ provides authentication, authorization, and accounting services. It also provides protocol support, protocol specification, and a centralized security database.

You can authenticate the user on the router or with a TACACS+ or RADIUS server.

Note: These commands are global unless otherwise indicated.

On the router, you need a username for the user for local authentication.

username test password test

The presence of login local on the vty lines causes this username to be used.

line vty 0 4
login local

If you do not trust the user to issue the access-enable command, you can do one of two things:

Associate the timeout with the user on a per-user basis.

username test autocommand access-enable host
timeout 10

or

Force all users that Telnet in to have the same timeout.

line vty 0 4
login local
autocommand access-enable host timeout 10

Note: The 10 in the syntax is the idle timeout of the access list. It is overridden by the absolute timeout in the dynamic access list.

Define an extended access list that is applied when a user (any user) logs into the router and the access-enable command is issued. The maximum absolute time for this "hole" in the filter is set to 15 minutes. After 15 minutes, the hole closes whether or not anyone uses it. The name testlist needs to exist but is not significant. Limit the networks to which the user has access by configuring the source or destination address (here, the user is not limited ).

access-list 120 dynamic testlist timeout 15 permit ip any any

Define the access list needed to block everything except the ability to Telnet into the router (in order to open a hole, the user needs to Telnet to the router). The IP address here is the Ethernet IP address of the router.

Enter the host name, the IP address, and the key used to encrypt communication between the AAA server and the NAS. Select TACACS+ (Cisco IOS) as the authentication method. When you are finished, click Submit +Restart to apply the changes.

Click User Setup, enter a user ID, and click Add/Edit.

Choose a database to authenticate the user. (In this example, the user is "test" and the internal database of the ACS is used for authentication). Enter a password for user, and confirm the password.

Choose the group to which the user is assigned and check Use group setting. Click Submit.

Click Group Setup. Select the group to which the user was assigned in step 7. Click Edit Settings.

Scroll down to the TACACS+ Settings section. Check the box for Shell exec. Check the box for Auto command. Enter the auto-command to be performed upon successful authorization of the user. (This example uses the access-enable host timeout 10 command.) Click Submit+Restart.

In order to use RADIUS, configure a RADIUS server to force authentication to be done on the RADIUS server with authorization parameters (the autocommand) to be sent down in vendor-specific attribute 26, as shown here:

Complete these steps to configure RADIUS on Cisco Secure ACS for Windows:

Open a web browser and enter the address of your ACS server, which is in the form of http://<IP_address or DNS_name>:2002. (This example uses a default port of 2002.) Log in as admin.

Click Network Configuration. Click Add Entry to create a Network Device Group that contains the NAS. Enter a name for the group and click Submit.

Click Add Entry to add an AAA client (NAS).

Enter the host name, the IP address, and the key used to encrypt communication between the AAA server and the NAS. Select RADIUS (Cisco IOS/PIX) as the authentication method. When you are finished, click Submit +Restart to apply the changes.

Click User Setup, enter a user ID, and click Add/Edit.

Choose a database to authenticate the user. (In this example, the user is "test" and the internal database of the ACS is used for authentication). Enter a password for user, and confirm the password.

Choose the group to which the user is assigned and check Use group setting. Click Submit.

Click Group Setup and select the group to which the user was assigned in the previous step. Click Edit Settings.

Scroll down to the Cisco IOS/PIX RADIUS Attributes section. Check the box for cisco-av-pair. Enter the shell command to be performed upon successful authorization of the user. (This example uses shell:autocmd=access-enable host timeout 10.) Click Submit+Restart.